Email a friend

To

From

Thank you

Your message has been sent.

Sorry

There was an error emailing this page.

Build your own IPv6 lab on the cheap, part 2

FREE

Become An Insider

Sign up now and get free access to
hundreds of Insider articles, guides, reviews, interviews, blogs, and other premium content
from the best tech brands on the Internet: CIO, CSO, Computerworld, InfoWorld,
IT World and Network World Learn more.

You're so close to creating your own IPv6-ready lab -- now InfoWorld's Matt Prigge takes you through the final steps

Last week, we took a look at how to make the transition from IPv4 to IPv6 using nothing but standard equipment you probably already own. This week, you can wrap up your project with the details below.

Building an IPv6 tunnel

Since your ISP almost definitely doesn't deliver IPv6 yet, you'll need to build a tunnel across the IPv4 Internet to someone who can gateway you onto the IPv6 Internet. In this case, I used Hurricane Electric's free IPv6 tunnel broker service. You'll need to sign up for an account (a fairly painless process) before you can create a new tunnel.

To do that, you'll need to know the outside interface IP of the router. If you create the tunnel from behind the firewall, the Create Tunnel dialog will tell you the originating IP. If not, you can run show interfaces ethernet to see what IP your ISP has doled out.

Essentially what that does is creates a new IPv6 tunnel interface (tun0), configures its local and remote endpoints, sets the local IPv6 address of your end of that tunnel, and issues an IPv6 default route that points to the other end of the tunnel.

One critical note: This block of configuration does not filter any traffic passing over that tunnel. If you hit Commit at the end of the given block, you've opened the outside interface of your router to any and all IPv6 traffic from anywhere.

For a very long time, everyone has been very accustomed to using NAT to hide their internally addressed networks (courtesy of RFC1918 address blocks such as 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16, for example). The real reason for this: It'd be impractical to use external addressing for every network -- we would have been out of address space years ago. However, as a side effect, you can't directly reach internal hosts from the outside unless you specifically poke a hole in your firewall by implementing an external-to-internal NAT translation.

That's one of the first basic lessons to learn about IPv6. There is no NAT in the IPv6 standard because there's no need for it -- the address space consumption issues present in IPv4 simply don't exist in IPv6. As a consequence, any internal IPv6 hosts you have are directly accessible by their "real" addresses unless you put in rules to block the traffic.

That's the next job. First, a rule to control access to the tun0 interface on the router itself (again, allowing ICMP so that we can ping it from the outside):

Then apply both of these rules to the tun0 interface:

set interfaces tunnel tun0 firewall in ipv6-name 'tun-in'

set interfaces tunnel tun0 firewall local ipv6-name 'tun-local'

set firewall ipv6-name tun-in default-action 'drop'

At this point, you should be able to ping from the router out to the other end of the IPv6 tunnel (this IPv6 IP will be listed in the Hurricane Electric Tunnel Details dialog next to Server IPv6 Address):

ping6 2001:470:XXXX:XXXX::1

If you get replies, you've done well up to this point.

After you commit those two sections to the configuration, any IPv6-enabled host on your network will automatically address themselves within that network block and be ready to access the internet via IPv6. If you're using Microsoft Windows Vista or Windows 7 and haven't disabled IPv6, you'll almost immediately see the "new network" dialog pop up. Testing should be as simple as hitting a known IPv6-only site. If you can get there, you're good to go. You're now running a basic, dual-stack IPv4/IPv6 network.

Other projects

After you're all set up, you can keep busy with a number of other projects. For example, if you have a few NICs you can toss into your router or a switch that's capable of VLAN tagging, you can allocate a /48 for your tunnel and carve out extra networks and configure routing and firewalling between them. Hurricane Electric has a great set of "certifications" that you can register for and attempt to complete -- many of which will require you to set up various servers (mail, DNS, and so on) on your IPv6 space and make them accessible to the IPv6 Internet.

If you get the time to do it, running through this process will bring you up to speed and give you the basic tools you'll need to survive in a post-IPv4 world. Instead of lagging behind the curve when the IPv6 hammer falls, you'll be ready.